cmdai 0.1.0

Convert natural language to shell commands using local LLMs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352

# Security Policy

## Overview

cmdai is a safety-first CLI tool that generates shell commands using local LLMs. Security is fundamental to our mission: we must prevent dangerous command execution while maintaining user trust in the tool.

This document outlines:
- Supported versions and security update policy
- How to report security vulnerabilities
- What qualifies as a security issue
- Our response timeline and process
- Recognition for security researchers

---

## Supported Versions

cmdai is currently in **early development** (v0.1.x). Security updates are provided for:

| Version | Supported | Notes |
|---------|-----------|-------|
| 0.1.x   | ✅ Yes    | Current development series |
| < 0.1.0 | ❌ No     | Pre-release, not recommended for use |

Once cmdai reaches v1.0.0, we will maintain security support for:
- **Latest stable release**: Full security support
- **Previous major version**: Critical security fixes only for 6 months after new major release
- **Older versions**: No security support (upgrade recommended)

---

## Reporting a Vulnerability

**DO NOT** report security vulnerabilities through public GitHub issues.

### Private Disclosure Process

We use GitHub's private security advisory system for vulnerability reports:

1. **Navigate to the Security tab**: Visit [github.com/wildcard/cmdai/security](https://github.com/wildcard/cmdai/security)

2. **Create a private security advisory**:
   - Click "Report a vulnerability"
   - Provide a clear description of the vulnerability
   - Include steps to reproduce
   - Describe the potential impact
   - Suggest a fix if possible

3. **Wait for acknowledgment**: We will respond within **48 hours** with:
   - Confirmation of receipt
   - Initial assessment of severity
   - Expected timeline for investigation

### Alternative Reporting Methods

If you cannot use GitHub's security advisory system:

- **Email maintainers** directly (email addresses listed in repository maintainer profiles)
- **Encrypted communication**: If needed, request a PGP key for sensitive disclosures

### What to Include in Your Report

A good security report includes:

- **Description**: What is the vulnerability?
- **Impact**: What can an attacker accomplish?
- **Reproduction steps**: How to trigger the vulnerability
- **Affected versions**: Which versions are vulnerable?
- **Environment**: OS, Rust version, configuration details
- **Proof of concept**: Code, commands, or screenshots demonstrating the issue
- **Suggested fix**: If you have ideas for remediation (optional)

**Example report structure**:

```
Title: Command Injection via Unescaped Model Output

Description:
The MLX backend does not properly escape special characters in model-generated
commands, allowing injection of additional commands via carefully crafted prompts.

Impact:
An attacker can execute arbitrary commands by providing a prompt that causes
the model to generate output containing shell metacharacters (;, &&, ||, etc.).

Reproduction:
1. Use MLX backend with default safety settings
2. Provide prompt: "list files" (but craft model to return "ls; rm -rf /")
3. Safety validator does not catch the injection
4. User executes the command, triggering unintended rm

Affected versions: 0.1.0 - 0.1.3

Environment:
- macOS 14.5, Apple M1
- Rust 1.75.0
- cmdai v0.1.2

Suggested fix:
Apply shell escaping using the `shell-escape` crate before passing commands
to the safety validator. Validate that model output contains only a single
command with no metacharacters outside of quoted strings.
```

---

## Response Timeline

Our commitment to security researchers:

| Timeframe | Action |
|-----------|--------|
| **48 hours** | Acknowledgment of your report |
| **7 days** | Initial assessment and severity classification |
| **14 days** | Regular status updates on investigation progress |
| **30 days** | Target fix release for critical vulnerabilities |
| **90 days** | Target fix release for moderate vulnerabilities |

For **critical** vulnerabilities (remote code execution, privilege escalation), we will:
- Prioritize investigation immediately
- Develop a fix within 7 days if possible
- Release an emergency patch version
- Coordinate disclosure timing with you

For **high/moderate** vulnerabilities, we will:
- Develop a fix for the next scheduled release
- Include the fix in the next minor version
- Coordinate disclosure after patch is available

---

## Vulnerability Scope

### In Scope - Security Issues We Address

We consider the following security vulnerabilities:

#### Safety Validation Bypasses

- **Command injection**: Ability to execute unintended commands
- **Pattern evasion**: Bypassing dangerous command detection
- **Metacharacter exploitation**: Using shell features to escape validation
- **Path traversal**: Accessing files outside intended scope
- **Privilege escalation**: Bypassing `--allow-dangerous` restrictions

**Examples**:
- Crafting prompts that cause model to generate commands that bypass safety checks
- Using shell quoting or escaping to hide dangerous patterns
- Exploiting race conditions in validation vs execution
- Unicode or encoding tricks that bypass regex patterns

#### Model Integrity and Trust

- **Model tampering**: Ability to replace cached models with malicious versions
- **Checksum bypass**: Circumventing model verification
- **Cache poisoning**: Injecting malicious models into the cache directory
- **Path substitution**: Redirecting model loading to attacker-controlled files

**Examples**:
- Modifying cached model files to generate malicious commands
- Bypassing SHA-256 checksums during model downloads
- Symlink attacks on cache directory
- TOCTOU (time-of-check-time-of-use) vulnerabilities in model loading

#### Command Execution Vulnerabilities

- **Shell injection**: Executing unintended shell code
- **Environment pollution**: Manipulating environment variables to change behavior
- **Subprocess exploitation**: Using subprocess features unsafely
- **Signal handling**: Race conditions in command execution

**Examples**:
- Injecting shell commands via `$()` or backticks
- Setting `LD_PRELOAD` or other dangerous env vars
- Exploiting `eval` or other dynamic code execution
- Race conditions between validation and execution

#### Information Disclosure

- **Sensitive data exposure**: Leaking user data, API keys, or system information
- **Prompt injection**: Extracting system prompts or internal configuration
- **Cache inspection**: Reading cached models or manifests to gain insights
- **Log leakage**: Exposing sensitive information in logs or error messages

**Examples**:
- Prompts that cause model to output configuration files
- Reading `.env` files or API keys from error messages
- Accessing other users' cached models on shared systems
- Timing attacks revealing model or system state

### Out of Scope - Issues We Do NOT Address

We do **not** consider the following as security vulnerabilities:

#### Theoretical or Impractical Attacks

- Attacks requiring physical access to the machine
- Social engineering or phishing attacks on users
- Vulnerabilities in third-party dependencies (report those upstream)
- Attacks requiring user to manually edit configuration with malicious intent

#### Model Output Quality

- Model generating incorrect or suboptimal commands (use GitHub Issues)
- Model failing to understand prompts (this is a model quality issue)
- Model output being slow or inefficient (performance issue, not security)

#### Expected Behavior

- Safety validator blocking commands you intended to run (use `--allow-dangerous`)
- Requiring confirmation for risky commands (this is intentional)
- Refusing to generate commands for destructive operations (by design)

#### Resource Exhaustion (DOS)

- Consuming disk space with large model downloads (expected usage)
- Using significant CPU/memory during inference (expected usage)
- Denial-of-service via repeated requests (rate limiting is not implemented)

**However**, if you can demonstrate **remote** or **persistent** resource exhaustion vulnerabilities, those may be in scope.

---

## Security Best Practices for Users

While using cmdai:

1. **Review generated commands** before execution, especially for sensitive operations
2. **Never use `--auto` mode** for destructive or privileged operations
3. **Keep cmdai updated** to get the latest security fixes
4. **Verify model checksums** when downloading from Hugging Face
5. **Limit `--allow-dangerous` usage** to specific, understood cases
6. **Check logs** regularly for unexpected model or command behavior
7. **Use restricted shells** if deploying cmdai in shared environments

---

## Security Development Practices

cmdai employs security-first development practices:

### Defense in Depth

We apply multiple layers of security:
1. **Input validation**: Sanitize prompts before sending to models
2. **Output validation**: Check generated commands against safety patterns
3. **Execution sandboxing**: Consider containerization for high-risk environments
4. **Least privilege**: Never run as root, minimize file permissions
5. **Fail-safe defaults**: Block dangerous operations unless explicitly allowed

### Safety Pattern Library

Our safety validator includes patterns for:
- **Filesystem destruction**: `rm -rf /`, `mkfs`, `dd if=/dev/zero`
- **Fork bombs**: `:(){ :|:& };:` and variants
- **Privilege escalation**: `sudo su`, `chmod 777 /`
- **System path tampering**: Operations on `/bin`, `/usr`, `/etc`
- **Device writes**: Direct device manipulation

See `src/safety/patterns.rs` for the complete pattern library.

### Secure Dependency Management

- **cargo-audit** runs on all PRs to detect vulnerable dependencies
- **deny.toml** configuration restricts dependency licenses and sources
- **Minimal dependencies** to reduce attack surface
- **Pinned versions** in Cargo.lock for reproducibility

### Code Review and Testing

- **Security-focused code review** for all PRs touching safety validation
- **Property-based testing** with proptest for safety validator
- **Integration tests** for command execution paths
- **Manual security testing** before releases

---

## Disclosure Policy

### Coordinated Disclosure

We practice **coordinated disclosure**:

1. **Private investigation**: We investigate reported vulnerabilities privately
2. **Fix development**: We develop and test a fix without public disclosure
3. **Coordinated release**: We release the fix and coordinate disclosure with reporter
4. **Public announcement**: We publish a security advisory with credit to reporter

### Disclosure Timeline

- **Day 0**: Vulnerability reported privately
- **Day 2**: Acknowledgment sent to reporter
- **Day 7**: Assessment and severity classification
- **Day 30**: Target fix release for critical issues
- **Day 30+**: Public disclosure after fix is released

We will work with reporters to:
- Coordinate disclosure timing
- Provide credit in security advisories
- Give advance notice of fix releases
- Respect reporter preferences for anonymity

### Public Disclosure

Once a fix is released, we will:
- Publish a **security advisory** on GitHub
- Update **CHANGELOG.md** with security fix details
- Release a **patch version** with the fix
- Notify users via **release notes** and discussions

---

## Security Hall of Fame

We recognize security researchers who help improve cmdai:

### 2025

*No security vulnerabilities have been reported yet. Be the first!*

### Recognition

Security researchers who responsibly disclose vulnerabilities receive:
- **Public acknowledgment** in security advisories (unless anonymity is preferred)
- **Credit in release notes** for the fix version
- **Hall of Fame listing** in this document
- **Priority support** for future security research

**Qualities we value**:
- **Responsible disclosure**: Following our private reporting process
- **Clear communication**: Providing detailed, actionable reports
- **Collaboration**: Working with us to verify fixes
- **Patience**: Understanding that fixes take time to develop properly

---

## Contact

For security concerns:

- **Report vulnerabilities**: [GitHub Security Advisories](https://github.com/wildcard/cmdai/security)
- **Security questions**: [GitHub Discussions](https://github.com/wildcard/cmdai/discussions) (for non-sensitive topics)
- **Maintainer contact**: See repository maintainer profiles for direct contact

---

**cmdai takes security seriously.** Thank you for helping us keep our users safe.

---

*Last updated: 2025-10-03*
*Security policy version: 1.0*